Is Security Only Needed for Big Business?
Friday, May 8, 2009 18:35
Most businesses I have dealt with over the years feel they are not a likely target for criminal activity. The majority of times I have been asked to evaluate security for a business have been after they have experienced some type of security incident. As with most of us, we feel like it will never happen to us or the security that we have implemented will be enough to discourage or stop someone from victimizing our business. From experience this is usually not true. For small to medium sized businesses, the effect of one major theft or cyber attack can be especially devastating.
On the physical side of the security picture, I can tell you that, like any business person, most criminals will evaluate risk versus return and pick the target with the lower risk and a greater chance of return. For example, if you are planning on robbing a place, do you pick the bank or the local liquor store or mini-mart? The return at the bank can be greater but so is the risk (they are usually better prepared), so most robbers would pick the store. With cyber-crime or computer security issues, the same applies: the easiest target with the greatest return will be the usual target of most cyber-criminals. A lot of small businesses feel they are not valuable enough targets for these types of computer attacks.
So does this really matter? Is the small or medium-sized business any more likely to be attacked or a victim of crime than a larger business? Let’s look at some information related to small business and cyber-crime. McAfee completed a survey in 2008 of small and medium-sized businesses with fewer than 1,000 employees, and the results showed that nearly 20 percent said they had no security protection at all against online threats, yet 90 percent of the companies relied heavily on the internet for their business. Also, over half of the companies that felt they had adequate security trusted the default settings that came with their IT equipment or software. In addition, they found that a lot of smaller companies felt that the larger businesses are more at risk because that is where the money is, but in reality the opposite is true. McAfee’s information says that cyber-criminals actually prefer smaller businesses because they make easier targets. Smaller businesses are usually easier targets because they have less manpower and other resources to invest in security than do larger corporations. Most companies with revenues under 500 million dollars do not have full-time security staff. Similar findings have been noted by Gartner and Visa in a variety of articles that I have read over the past couple of years.
To answer the above question, small and medium-sized businesses are targets just like the big companies because:
- They, in most cases, have assets that others will find valuable.
- Their assets are usually not protected as well due to limited resources and staff.
It is hard most days just to keep up with the business side of things without adding all the security issues coming at you. Even so, businesses, no matter the size, do need to address the security issue.
In my opinion, the main problem for businesses is not always the lack of resources but not knowing what to commit those resources to. All measures you take must be geared towards making you a harder target. You cannot prevent the crime from occurring, but you can make it so criminals will find an easier target down the road. The purpose of this post is not to beat up on you but to make you aware of the need for security. A lot of times I have found businesses are aware of physical security issues because they are more visible, but computer security issues are not addressed because they are “invisible” despite being in front of you. In future posts, we will cover a variety of physical and IT security issues along with what can be done to reduce the risk.
